magurayu
New Member
September 11, 2015
Question

How to convert this rule?

  • September 11, 2015
  • 2 replies
  • 7164 views

How do I convert this rule for FortiGate use?

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST User-Agent known malicious user agent - User-Agent User-Agent Mozilla"; flow:to_server,established; content:"User-Agent: User-Agent: Mozilla/"; fast_pattern:only; http_header; content:!"Accept"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/D67B6706559C5F7AB97CC788E668E27A29B7D2D39C9ACA93AF73778E53993339/analysis/; classtype:trojan-activity; sid:30918; rev:1;)

    2 replies

    emnoc
    New Member
    September 11, 2015

    You can thank bob on this one:

    http://camerabob.dyndns.org:5190/Fortigate/

    F-SBID ( --name SID30918; --protocol tcp; --flow to_server,established; --content "User-Agent: User-Agent: Mozilla/"; fast_pattern:only; http_header; --content !"Accept"; --revision 1;)

    Also FTNT has a Snort to IPS rule converter that does a half-way decent conversion for basic rules, but you really need to dissect the rule and understand the FGT IPS syntax imho. YMMV depending on how complex or not the source Snort rule is.

    magurayu (Author)
    New Member
    September 11, 2015

    I have tried the website as per your reply. However, it still cannot be used. I don't know why.

    FW version: v5.0, build0292

    rwpatterson
    New Member
    September 11, 2015

    I don't know if your reply was that you tried and it did not work, or if the server was down. I have been working on the web server over the past few days. I ran your snippet through it and got the below:

    F-SBID ( --name SID30918; --protocol tcp; --flow to_server,established; --content "User-Agent: User-Agent: Mozilla/"; fast_pattern:only; http_header; --content !"Accept"; --revision 1;)

    The below was removed:

    (001)(msg:"BLACKLIST User-Agent known malicious user agent - User-Agent User-Agent Mozilla"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/D67B6706559C5F7AB97CC788E668E27A29B7D2D39C9ACA93AF73778E53993339/analysis/; classtype:trojan-activity; )
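As an added example (not from the thread and not bob's converter), a small Python converter that does the mapping emnoc describes: it keeps the Snort options that have an F-SBID equivalent, turns each content/http_header pair into --pattern/--context header, and reports every option it dropped instead of leaving Snort syntax behind in the signature. The keyword mapping (--flow from_client for to_server, --context header for http_header, --service HTTP when the header uses $HTTP_PORTS, --no_case for nocase) is my assumption about FortiOS custom-signature syntax and should be checked against the IPS signature reference for the firmware in use.

```python
import re

# Constructed input: the Snort rule from the question, reproduced verbatim.
SNORT_RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
    '(msg:"BLACKLIST User-Agent known malicious user agent - User-Agent User-Agent Mozilla"; '
    'flow:to_server,established; content:"User-Agent: User-Agent: Mozilla/"; fast_pattern:only; '
    'http_header; content:!"Accept"; metadata:impact_flag red, policy balanced-ips drop, '
    'policy security-ips drop, ruleset community, service http; '
    'reference:url,www.virustotal.com/file/D67B6706559C5F7AB97CC788E668E27A29B7D2D39C9ACA93AF73778E53993339/analysis/; '
    'classtype:trojan-activity; sid:30918; rev:1;)'
)

# Snort keywords with no F-SBID equivalent: reported to the operator, never silently lost.
DROPPED = {"msg", "metadata", "reference", "classtype", "fast_pattern"}
# Assumed mappings of Snort content modifiers and flow directions onto F-SBID keywords.
CONTEXT = {"http_header": "header", "http_uri": "uri", "http_client_body": "body", "http_host": "host"}
FLOW = {"to_server": "from_client", "to_client": "from_server"}

def parse_snort(rule):
    """Split a Snort rule into its header tokens and an ordered list of (keyword, value) options."""
    header, _, body = rule.partition("(")
    # keyword[:value]; where value may contain quoted strings (a quoted value may hold ';')
    opts = [(m.group(1), (m.group(2) or "").strip())
            for m in re.finditer(r'\s*(\w+)(?::((?:"[^"]*"|[^;"])*))?;', body.rstrip(")"))]
    return header.split(), opts

def to_fsbid(rule):
    """Return (F-SBID signature, list of dropped Snort options) for one Snort rule."""
    header, opts = parse_snort(rule)
    sid = next((v for k, v in opts if k == "sid"), "0")
    out = [f'--name "SID{sid}"', f"--protocol {header[1]}"]
    if "$HTTP_PORTS" in header:                      # HTTP destination ports -> HTTP service decoder
        out.append("--service HTTP")
    dropped = []
    for key, val in opts:
        if key == "flow":                             # 'established' has no F-SBID keyword
            out += [f"--flow {FLOW[d]}" for d in val.split(",") if d in FLOW]
        elif key == "content":                        # a leading '!' (negated match) is kept as-is
            out.append(f"--pattern {val}")
        elif key in CONTEXT:                          # modifier applies to the preceding content
            out.append(f"--context {CONTEXT[key]}")
        elif key == "nocase":
            out.append("--no_case")
        elif key == "rev":
            out.append(f"--revision {val}")
        elif key in DROPPED:
            dropped.append(f"{key}:{val}" if val else key)
    return "F-SBID( " + "; ".join(out) + "; )", dropped
```

Review the dropped list by hand before loading the signature: msg, reference and classtype carry no detection logic, but fast_pattern:only is a Snort matching-engine hint and metadata may record the intended action (drop) that must be set in the FortiGate IPS sensor instead.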